- From: Michael Sweet <msweet@apple.com>
- Date: Wed, 13 Nov 2013 08:21:17 -0500
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

Mark,

On Nov 13, 2013, at 5:01 AM, Mark Nottingham <mnot@mnot.net> wrote:
> ...
> To be clear - we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption. However, for the common case -- browsing the open Web -- you'll need to use https:// URIs and if you want to use the newest version of HTTP.

For the record, I strongly believe that support for unencrypted HTTP/2.0 is still needed and useful, particularly when you are routing it over an already “secure” channel to a resource-constrained device. And there will likely be practical real-life limitations of what browser vendors choose to implement, i.e., no HTTP/2.0 support for http:// URIs.

However, I honestly don’t see how this WG can actually enforce/mandate https:// and still allow http:// URIs. So long as unencrypted URIs are supported by HTTP/2.0, the best you can do is make security recommendations since TLS is not REQUIRED (in the RFC 2119 sense) for the open web.

I also believe that HTTP/1.x has been so successful because of its ease (and freedom) of implementation. But IMHO restricting its use to https:// will only limit its use/deployment to sites/providers that can afford to deploy it and prevent HTTP/2.0 from replacing HTTP/1.1 in the long run.

_______________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Wednesday, 13 November 2013 13:22:05 UTC